Super sloppy: First State customers kept in the dark

Asher Moses

Update 5:30pm: First State Super has just updated its website with a statement on the issue - the first time it is notifying its broader customer base since the breach.

Update 4pm: The Federal Privacy Commissioner, Timothy Pilgrim, announced today he was opening an "own motion investigation" into First State Super.

First State Super customers have been left in the dark over a serious security breach at the company, saying they only learned through media reports that hundreds of thousands of accounts may have been exposed.

First State Super chief executive Michael Dwyer.

Acting NSW Privacy Commissioner John McAteer says the apparent decision to notify just a small portion of its customers rather than the entire database was not acceptable.


Yesterday it was revealed that First State Super, which has over $30 billion in funds under management, called the police on private security consultant Patrick Webster after he informed them of a flaw that opened up access to the company's database of sensitive customer details. All identity thieves would need to do to gain access was change numbers in the URL bar.

Pure Hacking CTO Ty Miller said the type of vulnerability was "the fourth most common type of security vulnerability found within web applications", according to the Open Web Application Security Project. Pure Hacking identified similar vulnerabilities "on a regular basis across most industries".

McAteer voiced concerns about the issue today, saying it highlighted the need for laws forcing companies to disclose privacy breaches.

"I have a First State Super account. I did not receive notification ... how many accounts have been at risk and why has no formal, broad response been made to members or account holders?" said one of several customers who contacted Fairfax Media to complain about not being notified.

McAteer today revealed that personal details of First State Super's 770,000 customers may not have been at risk if only it had heeded a warning he sounded over a highly similar breach at the University of Sydney earlier this year.

He said in a phone interview that it was not acceptable that First State appears to only have informed the 500-odd customers whose accounts were accessed by Webster when he demonstrated the flaw.

The rest of its customers do not appear to have been directly informed and several have complained to Fairfax Media, both via email and in the comments of yesterday's story.

"Any client where there was a potential for their data to be compromised should be advised," said McAteer.

First State Super CEO Michael Dwyer said yesterday that there was no evidence that anyone other than Webster had gained unauthorised access to customer accounts. But several computer security consultants who are paid by companies to test their networks, speaking on condition of anonymity, said they highly doubted First State kept logs or had the ability to definitively check either way.

One customer who contacted Fairfax Media said: "I bet these accounts have all been accessed by someone long before Webster stumbled across this unbelievably stupid security flaw."

Dwyer did not respond to a call requesting comment today.

McAteer said the issue was very similar to a data breach at the University of Sydney earlier this year that exposed detailed records of thousands of students. In that breach each student's ID number was placed in the URL, and simply tweaking the number brought up other students' private information.
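The flaw described in both the First State Super and University of Sydney cases is an insecure direct object reference: the server serves whatever record number appears in the URL. The following is an added illustration, not code from either organisation, using a hypothetical `/statement/<member_no>` URL and constructed member records and access-log lines. It shows the unchecked lookup beside one that ties the record to the logged-in member, and a simple log check for sessions that walked through consecutive numbers (the kind of check the consultants quoted above doubted could be done without logs).

```python
import re
from collections import defaultdict

# Constructed sample data (not real member records): member number -> record.
ACCOUNTS = {
    100001: {"owner": "alice", "balance": 54210.55},
    100002: {"owner": "bob", "balance": 12990.00},
    100003: {"owner": "carol", "balance": 8000.00},
}

class Forbidden(Exception):
    pass

def member_no_from_path(path):
    # Hypothetical URL shape: /statement/<member_no>
    return int(path.rsplit("/", 1)[1])

def statement_vulnerable(path):
    """Insecure direct object reference: whatever number is in the URL is served."""
    return ACCOUNTS[member_no_from_path(path)]

def statement_hardened(path, session_user):
    """Same lookup, but the record must belong to the logged-in member."""
    record = ACCOUNTS.get(member_no_from_path(path))
    if record is None or record["owner"] != session_user:
        raise Forbidden("not your account")  # same response for missing and foreign IDs
    return record

def is_denied(path, session_user):
    """True when the hardened handler refuses the request."""
    try:
        statement_hardened(path, session_user)
        return False
    except Forbidden:
        return True

# Constructed access-log lines: "<session-id> <path>". Real members view their
# own statement; session s-x walks through consecutive member numbers.
SAMPLE_LOG = """\
s-alice /statement/100001
s-bob /statement/100002
s-bob /statement/100002
s-x /statement/100001
s-x /statement/100002
s-x /statement/100003
"""

def enumeration_suspects(log_text, max_distinct=1):
    """Sessions that requested more distinct member numbers than a member should."""
    ids_per_session = defaultdict(set)
    for line in log_text.splitlines():
        session, path = line.split()
        m = re.fullmatch(r"/statement/(\d+)", path)
        if m:
            ids_per_session[session].add(int(m.group(1)))
    return sorted(s for s, ids in ids_per_session.items() if len(ids) > max_distinct)
```

The ownership check is the fix; the log check only works if per-session request logs are kept in the first place, which is exactly what the article's anonymous consultants questioned.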

"At the time, I warned organisations to be vigilant in checking the security of their client holdings, and to test for any flaws or patches required to prevent client details being accessed through their websites," McAteer said in a statement today.

McAteer said large corporations had dedicated IT staff and the community was entitled to expect from them "higher rates of awareness of information security risks and maintaining vigilant breach prevention programs".

Plenty of computer security experts have rounded on First State, not only for the heavy-handed way it treated Webster but also for failing to detect such a glaring and easily exploited security flaw. "Changing a number in a URL bar isn't even hacking ... anyone who configures their systems to work that way is negligent," said Patrick Gray, a specialist security journalist who first broke the First State story on his podcast, Risky.biz.

McAteer said the issue reinforced "the continued need to examine the legislating of mandatory breach notifications for organisations".

Recommendations from both the federal and NSW law reform commissions that mandatory data breach notification laws should be introduced have been with the state and federal governments for years but so far both have failed to implement the changes to privacy laws.

However, McAteer said discussions were back on the agenda following recent high profile breaches such as the hack attack on Sony's PlayStation Network and the voicemail hacking at News of the World.

"I'm not going to say they're dragging their feet ... governments have legislative agendas," he said.

"All I can say is [mandatory data breach notification laws] is a matter that the law reform commissions have reported on and recommended, and privacy commissioners have endorsed those recommendations."

McAteer, and many other privacy advocates, worry that there are large scale data breaches occurring on a regular basis but consumers are none the wiser because most companies are not obligated to report breaches.

Asked whether it was acceptable for someone like Webster to gain unauthorised access to a system if the end result meant improved protection of users' privacy, McAteer said: "At law if a person goes to a database for want of a better expression and hacks it, they may well be offending certain laws irrespective of motive."

First State Super's privacy obligations are jointly overseen by the federal and NSW privacy commissioners. McAteer's federal counterpart, Timothy Pilgrim, has yet to respond to requests for comment.
